George V. Reilly

Path Traversal Attacks

I was surprised to read this evening that the Apache Web Server just fixed an actively exploited path traversal flaw.

🚨 Apache has disclosed an *actively exploited* Path traversal flaw in the #opensource "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now!
New fix checks for encoded path traversal characters e.g. /../.%2E/ https://t.co/1tLNc3LAul pic.twitter.com/mDHLEU3k9N
— Ax Sharma (@Ax_Sharma) October 5, 2021

Apparently, it was introduced over a year ago.

I'm gobsmacked that Apache didn't have a robust suite of tests for this.

Directory Traversal attacks have been a problem for web servers since the beginning. OWASP, PortSwigger, and Spanning all have explanations that you can read. The essence is that you make …

Passphrase Generators

I've been using password managers for at least 15 years to keep track of all my passwords. I have separate, distinct, strong passwords for hundreds of sites, and I've only memorized the handful that I need to actually type regularly.

I started out with the KeePass desktop app originally, but I switched to the online LastPass app about a decade ago. At work, we use 1Password.

When I register for a site, LastPass generates a random password for me, such as:

tV%5joS$U6^uY5xU
T2oEUY!g70Iv1b&I
8kNHg9*A5GMR9%8D

LastPass securely syncs my passwords between machines and devices. Its browser integration and its Android and iPhone apps mean that I rarely ever have to actually type any of those ugly …

Old Presentations

I uploaded some presentations to SpeakerDeck.com tonight.

Here are various presentations of mine at SpeakerDeck.com and SlideShare.net:

USB Charge-Only Cables and Condoms

Thanks to Tom Limoncelli, I became acutely aware of USB charge-only cables and condoms. If you plug your phone into an unknown computer to charge the battery, you run the risk of having your phone hijacked by malware. USB transfers data as well as electricity and you're essentially giving the computer unrestricted access to your phone.

Certain USB cables are charge-only and will not pass data. There are also “USB condoms”, which are inserted between the cable and the computer. They not only block data, but they can potentially charge the battery faster, as they can switch the device into a fast-charging mode. I've ordered a pair from Amazon, as we're …

HTTPS for GitHub Pages Custom Domain: Not Yet

This website, http://www.georgevreilly.com/, is hosted at GitHub Pages. It's actually https://georgevreilly.github.io/ but I've configured the former as the “custom domain”, so the latter is unconditionally redirected to the custom domain.

GitHub Pages gives me free, fast hosting and an easy publication model: I commit the latest changes to my master branch, I push the branch to GitHub, and seconds later, my site is updated. I'm using Acrylamid to generate the content from reStructuredText source on the blog branch and ghp-import to commit the HTML to the master branch.

GitHub Pages supports HTTPS as of June 2016, but not for custom domains. There are some hacks but I don't feel like using them. I'm …

Homograph Attacks

During an internal training exercise today, as a sort of one-man Chaos Monkey, I deliberately broke a test system by changing a config setting to read:

itemfinder.url = http://test-іtemfinder.example.com/

The correct value should have been:

itemfinder.url = http://test-itemfinder.example.com/

What's that, you say? There's no difference, you say?

There is a difference, but it's subtle. The first i in the URL is 'CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I' (U+0456), not 'LATIN SMALL LETTER I' (U+0069). Depending upon the font, the two is may be visually indistinguishable, very similar looking, or the Cyrillic i may not render.

This is an example of an International Domain Name Homograph Attack. There are Greek letters and Cyrillic letters that look …

Keybase

I was sent an invite to Keybase a few weeks ago, which I accepted tonight.

Keybase Wants To Make Serious Encryption Accessible To Mere Mortals explains:

From a cryptographic standpoint, PGP is rock solid. In practice, using it is very messy. Its complexity has deterred the vast majority of people who might otherwise benefit from using encryption.

The first problem is establishing a valid identity, especially with other people located oceans away. The second is distributing public keys without nefarious types posting alternative keys that appear to be registered to the same person. ... The third issue is getting people to install and use PGP software.

I can now be reached via https://keybase.io/georgevreilly. I've proved my …

LastPass and Diceware

My LastPass browser plugin just upgraded itself to v4.0. For several years, I've been using LastPass to manage all of my passwords. I have literally hundreds of passwords. I can't even remember half the sites, much less the usernames. With LastPass, I can maintain a strong, distinct password for each site, which is robustly encrypted and backed up in the cloud, and I get good browser integration and adequate Android integration. We also use LastPass at work for our individual use and to share credentials.

There are still a handful of passwords that I have to remember and type, including the master password for my LastPass account, laptop passwords, and GPG passphrases.

I've …

Security 101 for Developers

The Cozi Tech Blog needed some love, so I wrote a post a couple of weeks ago on Security 101 for Developers.

Odds and Ends #4

Miscellaneous links.
